About Sonatype

Articles

IT in Canada profile: Sonatype

Published: December 06, 2012 11:54

Note: Working with RBC's Barney Baldwin, IT in Canada conducted a survey of open source software management software providers as input to a feature carried in the November/December (2012) edition of IT in Canada magazine. In that article, we offered links to additional information on the key vendors in this space. In this article, we provide information gathered from Sonatype.

How Sonatype helps customers: Sonatype’s Component Lifecycle Management products were designed to enable software development organizations to establish visibility and control in a complex and agile software supply chain. With actionable component security, quality, and licensing information organizations can amplify the cost and performance benefits of open source software and reduce the risks of agile, component-based development.

Detailed information from Sonatype

What security holes do your tools identify, and how do they do this?

Sonatype’s products were designed to ensure the integrity of the open source components being used to build mission-critical software and to help organizations at every stage of the software development process. Today, enterprise applications are typically built using 75-80% open source components, with custom code comprising the rest. But there’s a fundamental flaw in the component-based development ecosystem – it lacks an update notification mechanism for open source components. To envision the implications imagine your Windows or Mac desktop had no automated software updater – how would you know when a critical security vulnerability had been discovered or a performance bug had been fixed? With tens of thousands of projects, and components being updated an average of four times per year, most enterprises cannot keep up.

As a result, organizations which rely on open source have a software supply chain that lacks visibility and control and carries with it glaring risks. Sonatype is focused obsessively on creating order amidst this chaos – developing an extraordinary capacity for bridging critical awareness gaps. First, we have built a sophisticated infrastructure for mining virtually everything knowable about a given software component. Sonatype’s event-driven knowledge engine brings together information from the Central Repository coupled with public and private metadata resources. And secondly, we have built Sonatype Insight – a platform for delivering knowledge directly into the tools that developers and development managers use every day. The tools and information services provided by Sonatype Insight enable organizations to govern development processes, to continuously monitor the health of their repositories, and to retrieve real-time alerts when critical applications are affected by newly discovered threats.

Sonatype’s approach to component integrity and open source management is known as Component Lifecycle Management. The company’s products provide practical component intelligence at every stage of the software development process so that organizations can reap the benefits of open source without the risks – security, licensing and quality. From a pure security perspective, Sonatype offers deep visibility into component security. Often when a new defect or security flaw is discovered, many organizations are left exposed, unaware of where or how they are using the effected component. With Sonatype Insight users are able to see if there are any vulnerabilities in the components they are using in their builds and production applications – not just at the top-level components but with all transitive dependencies. Insight then provides users with update notifications, alerting users when new vulnerabilities have been found.

Can your product track third party licenses as well?

Yes, Sonatype Insight products offer users real-time information on the licensing, security and popularity of components and provides a detailed view into component dependencies for any application – those being developed and those in production. The Insight Application Health Check tool allows organizations to quickly generate a bill of materials to spot check applications and code from suppliers. In minutes the tool can analyze an application, understand its composition, and uncover potential security, licensing, and quality problems. With Insight Application Health Check users can see the license breakdown for every component and the implications to the application.

Does your product help the user to determine if the open source incorporated at a project, file, or library level, or code cut/paste?

Sonatype’s products offer critical information at the component level and throughout an application’s dependency tree. A simple software application can have dozens of multi-layered dependencies which can obscure underlying issues.

Dependencies may allow flawed components to quickly infiltrate and undermine software portfolios. An example of this is a vulnerability found in Spring-beans version 2.5.6 that went on to infect 1,447 other components and thousands of applications.

Does your product help the user to determine whether the code was modified?

Yes, the Sonatype Insight platform and knowledge engine combines component usage information from the Central Repository (the code management system used by all major OS projects) with public and private metadata sources to know virtually everything about an open-source component. The product then updates users when modification or changes to open-source components occur.

Organizations may also opt to use Sonatype’s component repository manager, Nexus Professional – which sits inside the corporate firewall. Staging binary components on a repository manager like Nexus Professional, supports collaboration and control as developers can store and share approved components in one centralized location. With real-time component licensing and security information in hand, development teams can intelligently create white and black lists to avoid unnecessary risks associated with flawed components. Insight for Nexus automatically warns developers and management of security, licensing or quality defects and prevents downloads should developers request problematic components.

How does your product help users to understand if they are on the latest revision of the open source code? Does your product flag whether there have been any subsequent critical releases?

Yes, Sonatype offers a host of products and information services that leverage Insight (which knows when new releases or versions of components are available) to provide practical intelligence across the software supply chain.

In the Repository and During the Release Process: Nexus Professional is one product described above that allows teams to manage its component usage inside the corporate firewall – using the build systems of their choosing: Ant, Gradle, Ivy, Maven, and Scala. Insight for Nexus enables organizations to control procurement by creating white and blacklists and offering rules based on a variety of component information, including license type, security vulnerabilities and quality metrics. The product also generates a bill of materials to ensure open source policies are being met.

At Build Time: Insight for CI is a plug-in for Hudson or Jenkins users that brings component intelligence to build time. With Insight for CI, software developers can surface quality, security, and licensing problems and enforce open-source policy at build time, before fixes become costly and time consuming. Insight for CI supports agile development processes with analysis of every component in every build, alerting developers immediately of any changes or policy violations that put their project at risk.

Throughout Pre-Production: Insight Application Health Check lets users quickly develop a bill of materials for their application to discover security, quality, or licensing issues before they become a problem.

How do you help your users to understand if upgrading the version of the product requires any other changes - and if so, how many functional points need to change?

Sonatype Insight continuously monitors an application’s bill of materials to provide updated information on the component in use and to offer suggested alternatives if new version are available or fixes have been identified. See example of the Component Information Panel here: https://support.sonatype.com/entries/22080247-how-do-i-view-my-project-s-detailed-component-information-found-using-insight-for-ciDo you identify how active the communities supporting the open source product(s) are? (# users, frequency of releases, etc)

The Sonatype Insight dashboard and reporting mechanism lets users quickly improve component selection using the wisdom of the crowd. The popularity report, based on downloads from the Central Repository, tells users which components other developers are using. This allows developers to:

Select the best components that have been used and tested by their peers

See if new versions with bug fixes or enhancements are available

Keep repositories up-to-date with the most used and tested components

Do you help users to understand the license terms for each OS product?

Evaluating the legal obligations of open source components can be difficult and time-consuming. As shared above, Sonatype Insight delivers actionable quality, security, and licensing information about open source components utilized throughout the organization. By integrating with existing tools and processes it gives users the licensing information and management when and where it’s needed.

Transitive dependencies greatly increase the complexity of license management. Organizations need to meet the obligations of every component used by its applications, not just those directly integrated. They must be able to find hidden license conflicts that could compromise their ability to ship product.

To recap, Sonatype Insight offers the following capabilities to help users understand the licensing terms of components:

Enable developers to choose appropriately licensed components during design and development with information in their IDE